t oo created AIRFLOW-4181:
-----------------------------
Summary: [security] ui - Server Information Disclosure
Key: AIRFLOW-4181
URL: https://issues.apache.org/jira/browse/AIRFLOW-4181
Project: Apache Airflow
Issue Type: Improvement
Components: security, ui
Reporter: t oo
The Airflow application reveals server information through HTTP response
headers. The following information is provided:

Server: gunicorn/19.9.0

The application also allows access to a default monitoring page, /health,
which provides a small amount of information about the server status.
Business Impact/Attack Scenario
Information regarding the web server, version information, frameworks,
development methodology or anything related to the infrastructure of an
application may be collected by an attacker. Information gathered may then be
used to perform targeted research, vulnerability or exploit development against
known components or social engineering style attacks against application
owners. Information gathered also increases the likelihood of compromise in the
event publicly disclosed vulnerabilities are released.
Recommendation
Remove the information from the application's HTTP response headers. Modify
gunicorn's conf.py and change the following parameter:
gunicorn.SERVER_SOFTWARE = '<change_server_info_here>'.
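The following is an added example written for this page; it is not code from the Airflow project or from the ticket reporter. It audits a raw HTTP response for the kind of disclosure described above (a Server or similar header carrying a product/version token such as the quoted gunicorn/19.9.0) so the check can be run before and after the recommended change, and it emits the gunicorn conf.py lines the ticket suggests. The sample responses are constructed, the header list and the "webserver" replacement name are assumptions, and the config snippet assumes the gunicorn line referenced in the ticket still reads the module attribute gunicorn.SERVER_SOFTWARE when building the header.

```python
"""Audit HTTP response headers for server-version disclosure (added example)."""
import re

# Headers that commonly expose the server software or framework (assumed list).
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Matches a "product/version" token such as "gunicorn/19.9.0".
VERSION_RE = re.compile(r"([A-Za-z0-9_.-]+)/(\d+(?:\.\d+)*)")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body).

    Header names are lower-cased; repeated headers are joined with ", ".
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # skip blank or malformed header lines
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status_line, headers, body


def audit_headers(raw):
    """Return disclosure findings for one raw HTTP response.

    severity "version": header names a product *and* a version (highest value
    to an attacker doing targeted research); "product": product name only.
    """
    findings = []
    _, headers, _ = parse_response(raw)
    for name in sorted(DISCLOSING_HEADERS):
        value = headers.get(name)
        if value is None:
            continue
        m = VERSION_RE.search(value)
        if m:
            findings.append({"header": name, "severity": "version",
                             "product": m.group(1), "version": m.group(2)})
        else:
            findings.append({"header": name, "severity": "product",
                             "product": value, "version": None})
    return findings


def gunicorn_conf_text(server_name="webserver"):
    """Return the gunicorn config-file lines that replace the Server header value.

    This is the change the ticket recommends: the config file (passed with
    `gunicorn -c conf.py ...`) overrides the module attribute that gunicorn
    uses when it builds the Server header. The replacement name is assumed.
    """
    return "import gunicorn\ngunicorn.SERVER_SOFTWARE = %r\n" % server_name


# Constructed sample responses (not captured from a real Airflow host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gunicorn/19.9.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Airflow</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Airflow</body></html>"
)


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_headers(raw))
    print(gunicorn_conf_text())
```

Running the block prints one "version" finding for the constructed pre-change response and only a "product" finding for the hardened one; a deployment that drops the header entirely would produce no finding at all. The audit also lists X-Powered-By style headers because the same class of disclosure can arrive from a framework or reverse proxy in front of gunicorn.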
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)